ISO/IEC 27001 Information Security Management
- Certification >
- Management Systems e.g. ISO 9001 >
- ISO/IEC 27001 Information Security Management
Safeguarding your information with
I.S. EN ISO/IEC 27001
I.S. EN ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of an organisation. It includes requirements for the assessment and treatment of information security risks tailored to organisational needs.
The requirements of I.S. EN ISO/IEC 27001 are generic and applicable to all organisations, regardless of size, sector, or complexity.
NSAI provides accredited certification to I.S. EN ISO/IEC 27001, offering independent assurance that an organisation’s information security management system conforms to internationally recognised best practice.
Overview of I.S. EN ISO/IEC 27001:2023
I.S. EN ISO/IEC 27001:2023 reflects current information security and cybersecurity practices.
Annex A of the standard contains 93 information security controls organised under four themes:
-
Organisational controls
-
People controls
-
Physical controls
-
Technological controls
The standard adopts a risk‑based approach, requiring organisations to identify, assess, and treat information security risks in line with business objectives and stakeholder expectations.
Irish (I.S.), European (EN), and international (ISO) designations
In Ireland, ISO/IEC 27001:2022 is adopted as a national standard and published as I.S. EN ISO/IEC 27001:2023.
-
ISO/IEC 27001:2022 is the international standard published by ISO/IEC
I.S. EN ISO/IEC 27001:2023 is the identical Irish and European adoption of the same standard
There are no material differences between the content, requirements, or controls of ISO/IEC 27001:2022 and I.S. EN ISO/IEC 27001:2023.
Certification to ISO/IEC 27001:2022 is therefore equivalent to certification to I.S. EN ISO/IEC 27001:2023, and certification to either designation provides the same level of assurance and recognition.
NSAI certification is issued against the applicable standard designation while confirming conformity to the full requirements of ISO/IEC 27001.
What I.S. EN ISO/IEC 27001 requires
Certification to I.S. EN ISO/IEC 27001 requires organisations to demonstrate that they have:
-
Defined the scope of their information security management system
-
Identified information security risks and opportunities
-
Implemented appropriate controls through a documented risk treatment process
-
Assigned roles, responsibilities, and governance arrangements
-
Established processes for monitoring, internal audit, and continual improvement
Benefits of I.S. EN ISO/IEC 27001 certification
Compliance and trust
-
Protect sensitive and confidential information
-
Demonstrate conformity with legal, regulatory, and contractual requirements
-
Strengthen confidence among customers and stakeholders
Market advantage
-
Enhance credibility when tendering for contracts
-
Support entry into regulated and international markets
-
Demonstrate alignment with recognised best practice
Risk and cost management
-
Reduce the likelihood and impact of security incidents
-
Apply proportionate and effective security controls
-
Minimise financial, operational, and reputational impact
Organisational governance
-
Clarify responsibilities for information security
-
Strengthen management oversight and decision‑making
-
Improve consistency of security‑related processes
Relationship with data protection and GDPR
I.S. EN ISO/IEC 27001 can support organisations in managing information security risks relevant to personal data processing. While certification does not in itself demonstrate legal compliance, it can provide structured evidence of controls that contribute to meeting data protection obligations, including those under the EU General Data Protection Regulation (GDPR).
The I.S. EN ISO/IEC 27001 certification process
Certification with NSAI typically involves:
-
Application and quotation
-
Stage 1 audit (pre liminary assessment)
-
Stage 2 audit (certification assessment)
-
Ongoing surveillance audits
-
Recertification at defined intervals
Certification decisions are made independently in accordance with accreditation requirements.
How to apply for certification
Organisations may assess their readiness using the NSAI I.S. EN ISO/IEC 27001 self‑assessment questionnaire.
To request a quotation for I.S. EN ISO/IEC 27001 certification services, please complete the NSAI Request for Quotation form available on our 'Need a Quote' page and return it to certification@nsai.ie
Related Links:
European Commission - Protecton of personal data
Data Protection Commissioner - GDPR webpage
For further information see ISO/IEC 27003 ‘Information technology - Security techniques - Information security management system implementation guidance’
I.S. EN ISO/IEC 27001:2023 and ISO/IEC 27003 can be purchased at www.standards.ie
Learn More
- Get top management support
- Construct business case and Project Plan
- Define scope of system
- Conduct risk assessment and plan risk treatment
- Agree effective monitoring methodology and applicable KPI’s
- Train personnel
- Implement controls
- Operate and maintain ISMS
- Conduct audit of system and policies
- Management review
- Implement corrective actions and repeat as necessary
Context of the Organisation
- Needs and expectations of interested parties
- Scope of ISMS.
Leadership
- demonstration of leadership and commitment by top management.
- Establishment of ISMS policies.
- Assignment of roles, responsibilities and authorities.
Planning
- Information security risk assessment
- Information security risk treatment.
- Statement of applicability
- Information security objectives and plan.
Support
- Competence and awareness of personnel
- Communication
- Documented information.
Operation
- Operational planning and control
- Information security risk assessment.
- Information security risk treatment.
Performance evaluation
- monitoring, measurement, analysis and evaluation.
- Internal audit.
- Management review.
Improvement
- Nonconformity and corrective action
- Continual improvement.
Risk Treatment Controls
- Internal organisation
- Human resources
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Security incident management
- Business continuity
- Compliance
I.S. EN ISO/IEC 27001 Information Briefing - 15th & 16th October 2018
Thank you to everyone who attended our most recent information briefing on this international standard.
If you were unable to attend and would like to stay informed of any upcoming events you can do so by subscribing to the NSAI ezine at NSAI.ie
(You will find the subscription service at the bottom of the home page)
You can view a copy of our most recent presentation here.
If you wish to receive a quotation for certification please complete the NSAI Request for Quotation form, available on our 'Need a Quote' page and return to certification@nsai.ie
- Applicant familiarises themselves with the requirements of the ISO/IEC 27001:2017 standard.
- Conducts a self-assessment - Download Self-Assessment Form 2017 or 2022
- Follow system implementation methodology
- Apply for Certification. - Download Request for Quotation form
- Send completed Request for Quotation form to certification@nsai.ie we will then return a quotation for certification specific to your organisation.
- To make a formal application sign the NSAI quotation and return to certification@nsai.ie
- NSAI auditor will make contact to agree phase 1 assessment dates
- Conduct certification audits
- Certification decision
If you wish to receive a no obligation quotation for certification to I.S. EN ISO/IEC 27001 please complete and return a copy of the Request for Quotation form available on our 'Need a Quote' webpage.